FTC Amends Its COPPA Rule to Protect Children Online After Technology Advances In Gathering Their Personal Information
Technology advances often help consumers do things quicker or easier. For regulators and law enforcers, such advances often present challenges in keeping laws and regulations up to date. The latest example is amendments announced by the Federal Trade Commission (“FTC”) on December 19, 2012, to update its Children’s Online Privacy Protection Act (“COPPA”) Rule, which requires safeguards, such a pre-approval from parents before collecting personally identifiable information (“PII”) online from children under 13.
The phenomenon of regulatory obsolescence is nothing new. After much ado, the FTC in July 1975 announced its Mail Order Trade Regulation Rule, which governs disclosures of shipping dates, rights to cancel and timing of refunds for items ordered by mail. By the time of its press conference, the market had changed so that there was a wave of direct sales being made via 800-numbers phone orders. These were not covered by the Rule and there was almost no information in the rulemaking record about telephone sales. The Commission acknowledged that it would have to amend the Rule in due course, which it finally did in 1994---just as the new marketing phenomenon was internet sales.
With COPPA, like other regulations involving the internet and technology, changes occur in months or a year---not a decade---so the need to change the Rule accelerates quickly. For example:
--The original COPPA legislation, like the FTC’s Rule, defined a website “operator” as one that managed a website that obtained PII from children under 13. Children could not jump from a website to Facebook or another social network that would collect their PII.
--The original Rule regarded PII as comprising name, address, URL, phone and other common information. Nobody worried about face identification technology or so-called “persistent identifiers” that would not identify a child in the first instance, but could by repeated use over time.
--The original Rule anticipated that a child would be at a terminal and could get a parent or guardian to provide online permission so that the operator could obtain information from the child. Nobody anticipated that smart phones and other handheld devices could be moving terminals for children to receive requests for and deliver PII a long way from parents.
The 2012 Amendments address these and other recent changes to the electronic world. It is clear that some of these changes will be obsolete in relatively short order, even if we cannot easily anticipate when that will be. According to the FTC’s press announcement, the main final amendments:
- expand “PII” that needs parental consent to include geolocation information, photos, and videos;
- allow a streamlined, voluntary and transparent process for new ways of getting parental consent;
- stop third parties from collecting PII from children through plug-ins without parental consent;
- cover as PII persistent identifiers that recognize users, such as IP addresses and mobile device IDs;
- permit website operators to release PII only to those who can keep it secure and confidential;
- require covered website operators to adopt reasonable procedures for data retention and deletion; and
- strengthen the FTC’s oversight of self-regulatory safe harbor programs.
Full details are available at http://www.ftc.gov/opa/2012/12/coppa.shtm. The FTC asserts that it tried to be flexible (allowing new ways for parental permission) while catching changes in technology that had to be covered.
A dissent from issuing one of the amendments shows the riskiness of changing technology regulation by statute. Maureen Ohlhausen, the newest Commissioner but a long time senior staffer in Policy Planning, dissented on the ground that the FTC’s expansion of “website operator” to cover third parties using plug-ins was invalid because it went beyond the plain meaning of the term “website operator” in COPPA, on which the Rule is based. She did not claim to disagree with the FTC’s policy decision, but only concluded that their hands were tied by the limited definition in the statute.
Whether she is right or wrong in this instance, the reasoning shows why it can be risky for Congress to regulate too many details in a statute that will likely restrict Rule amendments needed for rapidly changing technology. In the 1975 Mail Order Rule, for example, no federal statute blocked the FTC from adding telephone orders when the world of marketing changed. For privacy and other tech-related topics, Congress will have to consider in future legislation whether it is allowing leeway for changes that cannot be anticipated.
As for website operators that collect PII from children under 13, or who meet the new FTC standards, it is time to make sure that their internal policies are consistent with the new requirements and that they are spelled out clearly in Privacy Policies on their websites.